| Vuln ID | | Rule Title | Discussion |
| --- | --- | --- | --- |
| V-250982 | | Sentry must limit the number of concurrent sessions for the CLISH interface to an organization-defined number for each administrator account and/or administrator account type. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-250983 | | Sentry must be configured to limit the network access of the Sentry System Manager Portal behind the corporate firewall and whitelist source IP range. | Device management includes the ability to control the number of administrators and management sessions that manage a device. Limiting the number of al... |
| V-250984 | | Sentry must initiate a session lock after a 15-minute period of inactivity. | A session lock is a temporary network device or administrator-initiated action taken when the administrator stops work but does not log out of the net... |
| V-250987 | | Sentry must display the Standard Mandatory DOD Notice and Consent Banner in the Sentry web interface before granting access to the device. | Display of the DOD-approved use notification before granting access to the network device ensures privacy and security notification verbiage used is c... |
| V-250989 | | Sentry device must enforce a minimum 15-character password length. | Password complexity, or strength, is a measure of the effectiveness of a password in resisting attempts at guessing and brute-force attacks. Password ... |
| V-250990 | | Sentry must enforce password complexity by requiring that at least one uppercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measur... |
| V-250991 | | Sentry must enforce password complexity by requiring that at least one lowercase character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-250992 | | Sentry must enforce password complexity by requiring that at least one numeric character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-250993 | | Sentry must enforce password complexity by requiring that at least one special character be used. | Use of a complex password helps to increase the time and resources required to compromise the password. Password complexity, or strength, is a measure... |
| V-250997 | | Sentry must generate unique session identifiers using a FIPS 140-2 approved random number generator. | Sequentially generated session IDs can be easily guessed by an attacker. Employing the concept of randomness in the generation of unique session ident... |
| V-250999 | | Sentry must be configured to synchronize internal information system clocks using redundant authoritative time sources. | The loss of connectivity to a particular authoritative time source will result in the loss of time synchronization (free-run mode) and increasingly in... |
| V-251000 | | The Sentry must be configured to authenticate SNMP messages using a FIPS-validated Keyed-Hash Message Authentication Code (HMAC). | Without authenticating devices, unidentified or unknown devices may be introduced, thereby facilitating malicious activity. Bidirectional authenticati... |
| V-251005 | | Sentry must obtain its public key certificates from an appropriate certificate policy through an approved service provider. | For user certificates, each organization obtains certificates from an approved, shared service provider, as required by OMB policy. For federal agenci... |
| V-250985 | | Sentry must enforce approved authorizations for controlling the flow of management information within the network device based on information flow control policies. | A mechanism to detect and prevent unauthorized communication flow must be configured or provided as part of the system design. If management informati... |
| V-250986 | | Sentry must be configured to enforce the limit of three consecutive invalid logon attempts, after which time it must block any login attempt for 15 minutes. | By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, ... |
| V-250998 | | Sentry must generate an immediate real-time alert of all audit failure events requiring real-time alerts. | It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time aler... |
| V-251002 | | Sentry must offload audit records onto a different system or media than the system being audited. | Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information sys... |
| V-251003 | | Sentry must enforce access restrictions associated with changes to the system components. | Changes to the hardware or software components of the network device can have significant effects on the overall security of the network. Therefore, o... |
| V-251004 | | Sentry must be configured to conduct backups of system level information contained in the information system when changes occur. | This control requires the network device to support the organizational central backup process for system-level information associated with the network... |
| V-250988 | | Sentry must be configured to use DOD PKI as multi-factor authentication (MFA) for interactive logins. | Multi-factor authentication (MFA) is when two or more factors are used to confirm the identity of an individual who is requesting access to digital in... |
| V-250994 | | Sentry, for PKI-based authentication, must be configured to map validated certificates to unique user accounts. | Without mapping the PKI certificate to a unique user account, the ability to determine the identities of individuals or the status of their non-repudi... |
| V-250995 | | Sentry must use FIPS 140-2 approved algorithms for authentication to a cryptographic module. | Unapproved mechanisms that are used for authentication to the cryptographic module are not validated and therefore cannot be relied upon to provide co... |
| V-250996 | | Sentry must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirement. | Terminating an idle session within a short time period reduces the window of opportunity for unauthorized personnel to take control of a management se... |
| V-251001 | | Sentry must be configured to implement cryptographic mechanisms using a FIPS 140-2 approved algorithm to protect the confidentiality of remote maintenance sessions. | This requires the use of secure protocols instead of their unsecured counterparts, such as SSH instead of telnet, SCP instead of FTP, and HTTPS instea... |
| V-251006 | | Sentry must be configured to send log data to a central log server for the purpose of forwarding alerts to the administrators and the ISSO. | Without syslog enabled, it will be difficult for an ISSO to correlate the user's behavior and identify potential threats within the logs.... |
| V-251007 | | Sentry must be running an operating system release that is currently supported by MobileIron. | Network devices running an unsupported operating system lack current security fixes required to mitigate the risks associated with recent vulnerabilit... |